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DETAILED ACTION 

Claim Objections 

1 . Claim 29 is objected to because of the following informalities: plan is misspelled 
as plane. Appropriate correction is required. 



Response to Arguments 

2. Applicant's arguments filed 03-27-2009 have been fully considered but they are 
not persuasive. Applicant's arguments with respect to claims 1-14, 19-24, 29-36 and 
37-44 have been considered but are moot in view of the new interpretation of the prior 
art rejection necessitated by Applicant's amendments. 

3. In addressing Applicant's arguments with respect to 35 U.S.C. 1 01 , Applicant 
asserts the amendments satisfy the transformation test and then recites the new 
limitations and support. It appears Applicant has not overcome the rejection of record 
for several reasons. On the outset, a substantive discussion of how the new limitations 
overcome the transformation test has not been outlined. In particular, of the two "paths" 
it appears that Applicant is asserting that information has been transformed. In 
particular, the Bilski decision regarding transformation held that the process did not 
"transform any article to a different state or thing." In addressing transformation the 
court further stated, "[pjurported transformation or manipulation simply of public or 
private legal obligations or relationships, business risks, or other such abstractions 
cannot meet the test because they are not physical objects or substances, and they 
are not representative of physical objects or substances. Applicants' process at 
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most incorporates only such ineligible transformations." In re Bilski, 545 F.3d 943, at 

963-964 (Fed. Cir. 2008). It appears that, for at least these reasons, Applicant's 

invention would fail the transformation test. In fact, no real transformation of physical 

objects or substances occurs. It is believed that the Examiner has already outlined the 

machine test as it relates to extra-solution activity previously and continued in the 

current rejection under 35 U.S.C. 101. Furthermore, as stated previously, claims 29-32 

and 34-44, it is asserted that the inherent teachings of Abrahams itself render the 

limitations of these claims unpatentable. For example, as explained in the 101 rejection 

of record, Applicant's disclosure recites that the risk mitigation is a product of a risk 

review board that looks to past risks and suggests new mitigation plans based on the 

old plans including preventative and corrective controls. In this respect, Abrahams in 

Figure 1B shows a system by which existing risk records are used in profiles and new 

risk records are stored in a knowledge database for use by others. Abrahams states 

unequivocally in paragraph [0053] that the knowledge base learns over time thereby 

implying that his system is capable of being used to modify the overall process. Other 

similar recitations occur in paragraphs [0019], [0058], [0064], and [0070]. 

4. In addressing Applicant's primary argument with respect to the independent 

claims, Applicant asserts: 

By comparison, Abrahams Table 1 does not have multiple risk categories and 
does not provide "category specific" definitions. Table 1 is generic and is applied 
to all specified risks and risk categories in the same manner. Even assuming 
(albeit incorrectly) that Abrahams did teach risk categories as that term is used 
by Applicant, Abrahams still teaches using the same generic Table 1 to assign Pf 
values. If the Abrahams user encounters a hardware risk than the user must 
decide based on his or her own subjective assessment whether the risk is "rare", 
"unlikely", "possible", "likely" or "almost certain". If the user encounters a 
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technology risk, he or she repeats the same assessment. These "levels" are 
certainly not category-specific; Table I does not provide a different definition of 
"rare" for a hardware risk, a software risk, a technology risk and so forth. 
Furthermore, the terms "rare", "unlikely" etc. are not 'standardized qualitative 
probability definitions', they are undefined. Table 1 itself includes the 
parenthetical "subjective value" under the heading Level. Applicant invites the 
Examiner to simply compare Applicant's Figure 9 as a representative example of 
a Pf table with Abrahams Table 1 , the differences we are claiming are clear. The 
Examiner is correct that Applicant's claimed invention does not eliminate all user 
subjectivity. The user must still decide which entry to select. However, the user is 
provided with a qualitative description tailored to the particular risk 



Applicant's primary argument appears to rely on the categories of subjective 
assessment. The Examiner has provided what, may be broadly interpreted as, risk 
categories with "category specific definitions" as described in the previous rejection. 
The selection of the risk assessment is subjective while the actual risk categories are 
"category specific" having "standardized" terms that are qualitative with an 
objective/qualitative definition. In fact, after subjective selection of the risk, terms like 
"rare", "unlikely", "possible", etc., the terms themselves include a standard/objective 
definition, when taken individually or together are qualitative. They are qualitative since 
they provide a range of risk and provide a method of qualitating the level or risk in 
objective terms having standard definitions to be considered by the user. As stated 
previously, Applicant's own specification appears to recite circumstances where 
individual users are able to provide the "standardized qualitative definitions" when 
accessing the system. Without exhaustive study, some examples might include, pg. 5 
lines 26-31 to pg. 6, lines 1-4, for the proposition that new risks allow for the user to 
"augment their own knowledge and experience" to create an initial set of risks wherein 
the user "must assess each risk and assign a risk factor (Rf)." On pg 12, lines 25-31 to 
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pg. 13, lines 1-2, which teaches that new risks will allow "the engineer" to "select the 
qualitative probability definitions 82 that most closely characterizes the risk thereby 
specifying the value 80 of Pf." Further, the engineer may select from the Severity of 
Consequence tables to create a severity value for each risk as on pg 19. These 
statements suggests some level of subjectivity in Applicant's invention. In fact, the 
"standardized definitions" have inherently been derived at some point in time and where 
likely subjective or derived from some history of information. However, in addressing 
Applicant's amendments, and in light of the newly amended rejection, it is the 
Examiner's position that the qualitative probability definitions are the "levels" in Table 1 , 
and they have an associated qualitative definition as indicated below in the prior art 
rejection as paragraphs [0033-0034] describe. 

Claim Rejections - 35 USC § 101 

5. 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of 
matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the 
conditions and requirements of this title. 

6. Claims 1-14, 29-33 and 37-40 are rejected under 35 U.S.C. 101 because the 
claimed invention is directed to non-statutory subject matter. 

The first step in determining whether a claim recites patent eligible subject matter 
is to determine whether the claim falls within one of the four statutory categories of 
invention recited in 35 USC 101: process, machine, manufacture and composition of 
matter. The latter three categories define "things" or "products", while a "process" 
consists of a series of steps or acts to be performed. For purposes of 101 , the analysis 
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of a process is guided by the machine-or-transformation test. In re Bilski, 545 F.3d 94, 
(Fed. Cir. 2008) (en banc). 

Based on Supreme Court precedent (Diamond v Diehr, 450 U.S. 175,184 (1981); 
Parker v. Flook, 437 US 584, 588 n.9 (1978); Gottschalk v. Benson, 409 U.S. 63, 70 
(1972); Cochrane v. Deener, 94 U.S. 780, 787-88 (1876)) and recent precedent from 
the Federal Circuit from In re Bilski, the machine-or-transformation test is a two- 
branched inquiry; an applicant may show that a process claim satisfies § 101 either by 
showing that his claim is tied to a particular machine, or by showing that his claim 
transforms an article. See Benson, 409 U.S. at 70. Certain considerations are 
applicable to analysis under either branch. First, as illustrated by Benson, the use of a 
specific machine or transformation of an article must impose meaningful limits on the 
claim's scope to impart patent-eligibility. See Benson, 409 U.S. at 71-72. Second, the 
involvement of the machine or transformation in the claimed process must not merely 
be insignificant extra-solution activity. See Flook, 437 U.S. at 590. If neither of these 
requirements is met by the claim, the method is not a patent eligible process under 35 
U.S.C. 101. 

7. Claims 1-14, 29-33 and 37-40 are drawn to a method for managing risk. All of 

the recited method steps can be performed by the user themselves, in the mind of the 
user or between different users through writing by a user, and therefor these method 
steps are not tied to a particular machine nor do they transform an article. To qualify as 
a statutory process, the claim should positively recite in the body of the claim, the 
machine to which it is tied. For example, by identifying the particular machine that 
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accomplishes the method steps, or positively reciting the article that is being 
transformed. Furthermore, even if Applicant amends to identify a particular machine, in 
the least, it appears that any claim recitation to a particular machine would only 
constitute "involvement" that is insignificant extra-solution activity. Evidence to support 
this assertion is found in the limitations themselves when Applicant recites the storing, 
data gathering/searching and viewing/displaying of information from the database. 
Additional evidence is found in Applicant's Specification when discussion claims 29-33, 
indicating that limitations including formulating and storing a new risk mitigation plan is 
done by a Risk Review Board (pgs. 13 and 14). This evidence indicates that the steps 
of formulating, and likely implementing are done by the users, administrative or 
otherwise. In short, the method steps of storing, formulating enterprise searches, 
viewing, formulating mitigation searches, formulating new mitigation plans, storing and 
implementing are all accomplished by the users or people and not a particular machine 
and are thus insignificant extra solution activity. 

Please note that nominal recitations of a machine in an otherwise ineligible 
method fail to make the method a statutory process. See Benson, 409 U.S. at 70 - 
72. As Comiskey recognized, "the mere use of the machine to collect data necessary 
for application of the mental process may not make the claim patentable subject 
matter." Comiskey, 499 F.3d at 1380 (citing In re Grams, 888 F.2d 835, 839-40 (Fed. 
Cir. 1989)). Incidental physical limitations, such as data gathering, field of use 
limitations, storing, collecting, sending, receiving, and other forms of insignificant extra 
solution activity are not enough to convert an abstract idea into a statutory process. In 
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other words, nominal or token recitations of involvement of a machine or transformation 
in a method claim do not convert an otherwise ineligible claim into an eligible one. Ex 
parte Langemyr (2008) and In re Bilski, (Fed. Cir. 2008). 

Therefore, the applicable test to determine whether a claim is drawn to a patent- 
eligible process under § 101 is the machine-or-transformation test set forth by the 
Supreme Court and clarified herein, and Applicants' claim here appears to fail this test. 
No new matter should be added. 

Claim Rejections - 35 USC § 103 

8. The following is a quotation of 35 U.S.C. 1 03(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

9. Claims 1-2, 7-11, 13-14, 29-33 and 42-44 are rejected under 35 U.S.C. 103(a) 
as being unpatentable over Abrahams (2005/0086090) in view of Beverina 
(2001/0027389). 

1 0. As per claim 1 and 41 , Abrahams teaches a method of managing risk related to 
a successful completion of a development project, comprising: 

storing a probability of occurrence (Pf) table having a plurality of risk categories 
(i.e. via Category 2 in Fig. 1B, that shows an example of different Categories that 
contain sub-indented risk tables such as show in Table 1 , p. 4), each said category 
having a plurality of table entries (i.e. sub-indented risk tables), each entry including a 
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category-specific standardized qualitative probability definition associated with a Pf 
rating (i.e. via the risk tables described in Fig. 1C, para [0033-0034] the risk tables are 
described as actually being qualitative wherein the definition of each level in the table 
has a qualitative definition or value associated with it, while alternatively the qualitative 
values may be used directly by an experienced user,) and a severity of consequence 
(Cf) table (via Table 2, that shows an example of different risk consequences, Table 2, 
p. 4), identified risks and existing risk mitigation plans in a shared risk database (Fig. 1C 
shows a template for an identified risk, and control [mitigation] plans, said information 
must inherently be stored within a database); and viewing the Pf table to select the one 
or more risk categories for said at least one risk (i.e. inherently accomplished and 
outlined above associating risks) and for each said category selects the qualitative 
probability definition that characterizes the risk (i.e. as describe above, the risk tables in 
Fig. 1C, para [0033-0034] are described as qualitative, wherein the definition of each 
level in the table has a qualitative definition or value associated with it, while 
alternatively the qualitative values may be used directly by an experienced user) 
thereby specifying a probability of occurrence Pf for said at least one risk; (via Table 1 , 
that shows an example of different risk probabilities, Table 1, p. 4, including the 
disclosure and use of the risk tables inherently allows for "specifying a probability of 
occurrence Pf for the risk, as recited in the "thereby" statement), 

viewing the Cf table to select a severity of consequence Cf for said at least one 
risk, (via Table 2, that shows an example of different risk consequences, Table 2, p. 4) 
said Pf and Cf being combined and ranked to define prioritized risk factor Rf (a user 
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selects inherent values of likelihood [Pf] and consequence for a risk [Cf], and ... the 
system then calculations residual levels of likelihood, consequence and risk rating for 
the risk [Pf], ^ 6, lines 6-1 1 . Further, applicant should note that a similar argument 
could be made from the Context Profile data store wherein the hierarchy could allow for 
different risks to fall under different "profiles" (i.e. categories) in particular contexts. This 
is at least one other interpretation when the reference is given a full reading); 

formulating a risk mitigation plan including at least one mitigation activity for said 
at least one risk (i.e. the primary purpose of the invention was to derive plans to mitigate 
and manage risk as shown in paragraph [0001], and via examples such as the "action 
plan" as recited in paragraphs [0061], [0065-0066], [0077] and/or Table 3) , said risk 
mitigation plan having an associated risk exposure (i.e. para [0041]) based on the risk 
factors Rf for said at least one risk; performing the at least one mitigation activity for 
said at least one risk to implement the risk mitigation plan (i.e. inherent through the user 
implementing the plan); as the risk mitigation plan is implemented over time, at least 
one said user viewing the Pf and Cf tables to reassess the at least one risk, select Pf 
and Cf and update the prioritized risk factor Rf (i.e. via para [0066-0068], [0070] and/or 
Figures 5, 7; the risk factors being prioritized as described earlier at para [0041]); 
displaying a chart of risk exposure over time; and adjusting the mitigation plan based on 
the risk exposure, (i.e. via at least para [0071] for the proposition of displaying charted 
information; The residual or inherent risk rating (having a quantitative equivalent called 
here exposure, measured for example in dollars) thus provides a measure of the risk 
exposure for the particular risk; and adjusting the mitigation plan based on the risk 
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exposure [0041] wherein the averages of the values used in each profile of various 
users is overtime [0058]. In short, the data that may be provided by "chart" such as 
spreadsheet or otherwise in the Abrahams et al. invention is analyzed, collected and 
displayed over "time.") 

However, Abrahams fails to explicitly disclose 

via a web browser, a plurality of users, formulating an enterprise search of the 
risk database to identify at least one risk. 

Beverina in the same field of endeavor [risk management systems] teaches a 
web browser (Fig. 3), a plurality of users (Fig. 1 ), formulating an enterprise search of the 
risk database to identify at least one risk (via 1f 361 , "the user can also search the sites 
for particular information" where the particular information is a risk, and formulating a 
mitigation search of the risk database to identify existing risk mitigation plans for the 
identified risk to enhance the development of new mitigation plans or share with other 
programs the resources to implement the mitigation plan, (via "risk mitigation [that] also 
uses threat and countermeasure characteristics in making decisions. Various 
countermeasures are compared to the specific threat to determine which ones are most 
effective at mitigating the risk of the threat against the target", Examiner construes this 
to be the equivalent of a mitigation plan search as it evaluates existing plans to provide 
the user with the best alternatives. If 307, lines 9-13) 

It would have been obvious to one skilled in the art at the time of invention to 
combine the risk management system taught by Abrahams with the risk management 
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system features of Beverina. Motivation for the combination is a system with more 
features that should produce better risk management analysis and techniques. 
11. As per claim 2, Abrahams teaches the method wherein the probability of 
occurrence table has a plurality of risk categories, each said category having table 
entries that include standardized qualitative probability definitions, (via Table 1 , p. 4, 
that shows the plurality of categories ranging from rare to almost certain, and the 
standardized qualitative probability definitions for each category of risk). Statements 
reciting "wherein the users view the cost and schedule impact categories and the 
standardized qualitative impact definitions for each said at least one risk to select the Cf 
rating, said displayed risk exposure including a cost exposure and a schedule exposure 
that are based on the project-specific amounts associated with the selected Cf rating" 
only point to viewing displayed information. Steps regarding the subjectivity of selecting 
Cf ratings have previously been addressed. Regardless, even though the combination 
fails to disclose the use of cost and schedule impact categories, the specific type of 
categories are deemed to be nonfunctional descriptive material and is not functionally 
involved in the steps recited. The storing, formulating and viewing steps would be 
performed the same regardless of what type of categories are used. Thus this 
descriptive material will not distinguish the claimed invention from the prior art in terms 
of patentability, see In re Gulack, 703 F .2d 1381, 1385, 217 USPQ 401, 404 
(Fed.Cir.1983); In re Lowry, 32 F .3d 1579, 32 USPQ2d 1031 (Fed. Cir. 1994) and 
MPEP 2106.01. As is described throughout the remaining claim rejections, cost 
impact is described throughout Abrahams et al. 
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12. As per claim 7, Abrahams fails to explicitly disclose the method wherein the 
enterprise search includes a combination of at least two parameters including current or 
historic, risk factor, vendor, component, functional area, category, key work in risk title, 
key work in risk description, IPT, actionee, actionee/team, lead/submitter, or risk 
number. However, Beverina, in the same field of endeavor [risk management systems], 
teaches searches "by categories such as threat type, risk, score and others" (If 363, 
lines 3-5). Examiner construes risk to be the current risk factor, and threat type to be 
the category. It would have been obvious to one skilled in the art at the time of 
invention to combine the risk management system taught by Abrahams with the risk 
management system search features of Beverina. Motivation for the combination is a 
system where users have easier access to past records, and therefore can use past 
results easier. 

13. As per claim 8, Abrahams teaches at least one risk including a combination of 
risk number, program, risk title and a current risk factor (Fig. 1 B displays the risk 
number next to the risk, and a program is detailed under each consequence [Examiner 
construes a program to be a series of steps, in this case the program is the corrective 
controls], Fig. 1C displays the title, as well as the risk rating). However, Abrahams fails 
to explicitly disclose that this information is retrieved via a search. Beverina, in the 
same field of endeavor [risk management systems], teaches searches "by categories 
such as threat type, risk, score and others" (If 363, lines 3-5). It would have been 
obvious to one skilled in the art at the time of invention to combine the risk management 
system taught by Abrahams with the risk management system search features of 
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Beverina. Motivation for the combination is a system where users have easier access 
to past records, and therefore can use past results easier. 

14. As per claim 9, Abrahams fails to explicitly disclose the method wherein the web 
browser provides a transfer link from said at least one risk with its risk mitigation plan to 
import the selected risk and mitigation plan into another program. However, Beverina, 
in the same field of endeavor [risk management systems], teaches that "Results from 
local VAT 200 sessions are transferred to the TIMS 130, in the form of the VAT 
Database 220, and stored in a database along with sessions from other sites." fl[ 364) 
Fig. 1 further illustrates this detail as risk mitigation plans are created and stored, until 
they are imported into the TIMS program. It would have been obvious to one skilled in 
the art at the time of invention to combine the risk management system taught by 
Abrahams with the risk management system features of Beverina. Motivation for the 
combination is a system with more features that should produce better risk 
management analysis and techniques. 

1 5. As per claim 10, Abrahams fails to explicitly disclose the method wherein the 
mitigation search includes a combination of at least two parameters including a risk 
description, risk status, start date, original planned complete date, planned complete 
date, and complete date. However, Beverina, in the same field of endeavor [risk 
management systems], teaches that users can "search and browse the data from the 
individual VAT 200 sessions by categories such as threat type, risk, score and others." 

363) Figure 50 shows a calendar within that VAT 200 for entry of start and 
completion dates. A user therefore, would be able to do a mitigation search including 
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the parameters of start date and complete date. It would have been obvious to one 
skilled in the art at the time of invention to combine the risk management system taught 
by Abrahams with the risk management system features of Beverina. Motivation for the 
combination is a system with more features that should produce better risk 
management analysis and techniques. 

16. As per claim 1 1 , Abrahams fails to explicitly disclose the method further 
including automatically generating risk reports including identified risks, prioritized risk 
factors, and mitigation plans. However, Beverina, in the same field of endeavor [risk 
management systems], teaches that users can "create, edit and delete report formats to 
create new and customized reports to meet future needs" fl| 374, lines 6-7). A user 
would be enabled to create risk reports including the identified risk, prioritized risk 
factors, and mitigation plans. It would have been obvious to one skilled in the art at the 
time of invention to combine the risk management system taught by Abrahams with the 
risk management reporting feature of Beverina. Motivation for the combination is a 
system with more features that should produce better risk management analysis and 
techniques as well as easier sharing of information. 

1 7. As per claim 13, Abrahams fails to explicitly disclose the method wherein the 
web browser has an interface that includes a menu bar with pull-down menu items and 
menu sub-items for viewing the current program, conducting the enterprise search and 
conducting the mitigation search and hyperlinks to the Pf and Cf tables. However, 
Beverina, in the same field of endeavor [risk management systems] teaches a web 
browser (Fig. 3), with pull-down menu items [viewable in the drawing] and menu sub- 
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items for viewing the current program [viewable in the drawing], conducting the 
enterprise search [via the search box] and conducting the mitigation search [via the 
search box] and hyperlinks to the Pf and Cf tables [via the THREATS and 
VULNERABILITY hyperlinks in the drawing]. It would have been obvious to one skilled 
in the art at the time of invention to combine the risk management system taught by 
Abrahams with the web based feature of Beverina. Motivation for the combination is a 
system with more features that should produce better risk management analysis and 
techniques as well as easier navigation of information. 

18. As per claim 14, Abrahams teaches the method wherein the identified risks, risk 
factors, and mitigation plans for each user are stored in the shared risk database. 
Figure 1B shows the "knowledge base" construed by Examiner to be a database, 
containing identified risks, risk factors, and mitigation plans [Examiner construes the 
corrective control and the preventative control to be a mitigation plan]. 

1 9. As per claim 29, it is asserted that Abrahams teaches formulating a mitigation 
search of the risk database to identify existing risk mitigation plans for the identified risk 
to enhance the development of new mitigation plans or share with other programs the 
resources to implement the mitigation plan. 

In addressing new claims 29-32 and 34-36, it is asserted that the inherent 
teachings of Abrahams itself render the limitations of these claims unpatentable. For 
example, as explained in the 101 rejection of record, Applicant's disclosure recites that 
the risk mitigation is a product of a risk review board that looks to past risks and 
suggests new mitigation plans based on the old plans including preventative and 
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corrective controls. In this respect, Abrahams in Figure 1 B shows a system by which 
existing risk records are used in profiles and new risk records are stored in a knowledge 
database for use by others. Abrahams states unequivocally in paragraph [0053] that 
the knowledge base learns over time thereby implying that his system is capable of 
being used to modify the overall process. Other similar recitations occur in paragraphs 
[0019], [0058], [0064], and [0070]. 

If Applicant disagrees with the Examiner's interpretation of Abrahams, then 
Beverina in the same field of endeavor [risk management systems] teaches a web 
browser (Fig. 3), a plurality of users (Fig. 1 ), formulating an enterprise search of the risk 
database to identify at least one risk (via 361 , "the user can also search the sites for 
particular information" where the particular information is a risk, and formulating a 
mitigation search of the risk database to identify existing risk mitigation plans for the 
identified risk to enhance the development of new mitigation plans or share with other 
programs the resources to implement the mitigation plan, (via "risk mitigation [that] also 
uses threat and countermeasure characteristics in making decisions. Various 
countermeasures are compared to the specific threat to determine which ones are most 
effective at mitigating the risk of the threat against the target", Examiner construes this 
to be the equivalent of a mitigation plan search as it evaluates existing plans to provide 
the user with the best alternatives. If 307, lines 9-13) 

It would have been obvious to one skilled in the art at the time of invention to 
combine the risk management system taught by Abrahams with the risk management 
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system features of Beverina. Motivation for the combination is a system with more 
features that should produce better risk management analysis and techniques. 

20. As per claim 30, Abrahams and Beverina teach the method of claim 29, wherein 
the mitigation search identifies both successful and unsuccessful existing risk mitigation 
plans, (i.e. at least Abrahams and/or Beverina teach that the plans are stored, and 
therefore by that very nature both good and bad plans will be accessible wherein the 
knowledge base collects new risk records wherein the risk records include the mitigation 
or preventative and corrective controls.) 

21 . As per claim 31 , Abrahams and Beverina teach the method of claim 29, further 
comprising: aggregating the risk mitigation plans from a plurality of different users and 
different programs to update and store a risk mitigation plan on the shared database, 
(i.e. as taught by at least Abrahams wherein the knowledge base collects new risk 
records wherein the risk records include the mitigation or preventative and corrective 
controls.) 

22. As per claim 32, Abrahams and Beverina teach the method of claim 29, further 
comprising: sharing resources with other programs to implement the mitigation plan, 
(i.e. in the least via the use over the internet which inherently interacts with other 
programs, such as user interfaces.) 

23. As per claim 33, Abrahams and Beverina teach the method of claim 29, where 
the risk mitigation plan includes a number of activities, each activity including a 
description and an assigned Pf and Cf rating, (i.e. this assignment is inherent in the 
methods described in the prior art, since each project will include categories and risks 
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that will have associated Pf and Cf ratings when they have already been performed and 
placed in the knowledge database. Essentially, projects already completed will have 
been given ratings.) 

24. As per claim 42, the combination of Abrahams and Beverina teach the system 
of claim 41 , wherein the cost impact category includes multiple sub-categories each 
having a project-specific amount, each said sub-category being assigned its own Cf 
ratings said respective Cf ratings used to determine the displayed cost exposure for the 
different sub-categories. This claim is rejected under a similar rationale as that of claim 
21 . It is inherent that the Cf ratings as described throughout the rejection are being 
used to determine exposure. Cost impact is described throughout at least the 
Abrahams et al. reference. Please note there appears to be no structural limitations in 
the system claim. It is believed that the prior art is capable of Applicant's intended use. 

25. As per claim 43, the combination of Abrahams and Beverina teach the system 
of claim 42, wherein the sub-categories include development cost (NKE), unit cost 
(DTC) and operations and support (OJS). Please note that the actual sub-categories 
are considered non-functional descriptive material and there appears to be no structural 
limitations in the system claim. It is believed that the prior art is capable of Applicant's 
intended use. 

26. As per claim 44, Abrahams and Beverina teach the system of claim 41 , wherein 
the maximum Cf rating for the multiple sub-categories is combined with the maximum Pf 
for the one or more risk categories to define the prioritized risk factor Rf. Please note 
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there appears to be no structural limitations in the system claim. It is believed that the 
prior art is capable of Applicant's intended use. 

27. Claims 3-6 and 12 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Abrahams (2005/0086090) and Beverina (2001/0027389) in view 
of Examiner's Official Notice. 

28. As per claim 3, Abrahams discloses the method further comprising tailoring the 
probability of occurrence table to the select few categories that are relevant to the 
development project, (i.e. it is inherent in the teaching of Abrahams that a user may 
reduce or add more categories depending on the project or the number of categories 
one wishes to consider. Subsequently, any associated Pf tables as described in claim 1 
would be on the shared risk database in Fig. 1 B.) However, Abrahams fails to 
explicitly disclose that this is done via a web browser. Beverina, in the same field of 
endeavor [risk management systems], teaches a browser based risk management 
system. It would have been obvious to one skilled in the art at the time of the invention 
to use the system taught by Abrahams in a web based environment as taught by 
Beverina. Motivation to combine the two is present as a web based risk management 
system allows users in remote locations to easily modify and update risk profiles. 
Furthermore, the use or restriction of user access, or limiting access to an administrator 
is well known in the art of computer programming. Several systems such as Microsoft 
operating systems use such features to limit access for users. Similarly there are 
security programs that operate in similar fashion for the proposition of preventing 
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access to certain features of an operating system. Examiner takes Official Notice with 
respect to administrative access to a system. 

29. As per claim 4, the combination of Abrahams and Beverina teaches the claimed 
invention as mentioned in claim 1 , above. Abrahams further teaches the method 
wherein the severity of consequence table has a schedule impact category with the 
table entries having a cost impact category with the table entries specifying multiple 
sub-categories of cost impacts in actual dollars for the development project. (Table 2, 
p. 4) However, the Abrahams and Beverina combination fails to explicitly disclose table 
entries specifying an amount in days, weeks or months. Examiner takes Official Notice 
that it is old and well known in the art of project management to measure negative 
impacts upon projects like delays in units of time such as days, weeks, or months. It 
would have been obvious to one skilled in the art at the time of invention to combine the 
table taught by Abrahams and Beverina with Examiner's Official Notice. Motivation to 
combine is to have an additional quantifiable way to measure consequences of a 
particular outcome. The user selecting Cf values has been addressed previously in 
claim 1 . Regardless, even though the combination fails to disclose the use of cost and 
schedule impact categories, the specific type of categories are deemed to be 
nonfunctional descriptive material and is not functionally involved in the steps recited. 
The storing, formulating and viewing steps would be performed the same regardless of 
what type of categories are used. Thus this descriptive material will not distinguish the 
claimed invention from the prior art in terms of patentability, see In re Gulack, 703 F .2d 
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1381, 1 385, 217 USPQ 401 , 404 (Fed.Cir.1 983); In re Lowry, 32 F .3d 1 579, 32 
USPQ2d 1031 (Fed.Cir. 1994) and MPEP 2106.01. 

30. As per claim 5, Abrahams teaches the method wherein said multiple sub- 
categories include development cost (NRE), unit cost (DTC) and operations and support 
(O/S) categories, (via "in one mode of use, the inherent risk impact cost is aggregated 
over the inherent cost of each consequence of the risk" where consequences of each 
risk would inherently include development cost, unit cost, and operations and support 
costs, If 7, lines 1 5-1 7). Sub-categories are also taught in Abrahams et al., and the risk 
exposure is displayed as taught previously in claim 1 and 2. Regardless, even though 
the combination fails to disclose the use of multiple sub-impact categories, the specific 
type of categories are deemed to be nonfunctional descriptive material and is not 
functionally involved in the steps recited. The storing, formulating, viewing and 
displaying steps would be performed the same regardless of what type of categories are 
used. Thus this descriptive material will not distinguish the claimed invention from the 
prior art in terms of patentability, see In re Gulack, 703 F .2d 1 381 , 1 385, 21 7 USPQ 
401, 404 (Fed.Cir.1983); In re Lowry, 32 F .3d 1579, 32 USPQ2d 1031 (Fed. Cir. 1994) 
and MPEP 2106.01. 

31 . As per claim 6, the combination of Abrahams and Beverina and Examiner's 
Official Notice teaches the claimed invention as mentioned in claim 4, above. 
Abrahams further teaches the method further comprising the severity of consequence 
table to select the cost impact sub-categories and specify their dollar amounts (Table 2, 
p. 4 shows the severity of consequence table which includes cost impact sub-categories 
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and dollar ranges.) Abrahams further teaches a shared risk database for storage as 
shown in Fig. 1 B, element 1 1 . Furthermore, the use or restriction of user access, or 
limiting access to an administrator is well known in the art of computer programming. 
Several systems such as Microsoft operating systems use such features to limit access 
for users. Similarly there are security programs that operate in similar fashion for the 
proposition of preventing access to certain features of an operating system. Examiner 
takes Official Notice with respect to administrative access to a system. With respect to 
the specifics of the sub-categories, the specific type of categories are deemed to be 
nonfunctional descriptive material and is not functionally involved in the steps recited. 
The storing, formulating and viewing steps would be performed the same regardless of 
what type of categories are used. Thus this descriptive material will not distinguish the 
claimed invention from the prior art in terms of patentability, see In re Gulack, 703 F .2d 
1381, 1385, 217 USPQ 401,404 (Fed.Cir.1983); In re Lowry, 32 F .3d 1579, 32 
USPQ2d 1031 (Fed. Cir. 1994) and MPEP 2106.01. 

32. As per claim 12, the combination of Abrahams and Beverina teaches the 
claimed invention as mentioned in claim 1 1 , above. However, the Abrahams and 
Beverina combination fails to explicitly teach the method wherein a risk review board 
(RRB) report is generated by submitting minutes for a RRB meeting by entering 
information for each risk covered during a RRB meeting and entering the date of the 
RRB meeting; and submitting the minutes to generate the RRB report including 
Number, Title, Actionee, Rf, Risk Level and Comments for each risk. Examiner takes 
Official Notice that it is old and well known in the art of meetings to generate and submit 
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minutes. Examiner further takes Official Notice that it is old and well known in the art of 
recording minutes to record topics discussed as well as the date of the meeting. 
Beverina, teaches that clauses of a report can include "Data values in the database and 
results from simple queries of the database that return text or simple data values" fl[ 
429-432). These results would include information such as Risk Factors, Risk Level 
and Comments. It would have been obvious to one skilled in the art at the time of 
invention to combine the system of Abrahams with the reporting features of Beverina in 
view of Examiner's Official Notice. Motivation to combine is increased communication 
within a risk management setting. 

33. Claims 19-20, 22-24, 34-36 and 41 are rejected under 35 U.S.C. 103(a) as 
being unpatentable over Abrahams (2005/0086090) and Beverina (2001/0027389) 
in view of Heinrich (6,895,383). 

34. As per claim 19 and 41, Abrahams teaches a web-based risk management 
system for managing risk related to a successful completion of a development project, 
comprising: 

a server comprising a shared risk database that stores a probability of 
occurrence (Pf) table (via Table 1, that shows an example of different risk probabilities, 
Table 1 , p. 4) and a severity of consequence (Cf) table (via Table 2, that shows an 
example of different risk consequences, Table 2, p. 4), risk identification information and 
risk mitigation information (Fig. 1C shows a template for an identified risk, and control 
[mitigation] plans, where said information must inherently be stored within a database); 
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However, Abrahams fails to explicitly disclose a web-based risk management 
tool on the server that provides standardized interfaces for searching, viewing and 
entering information to and from the shared risk database via a web browser, an 
intranet, and a plurality of computer workstations in communication with the server via 
the intranet, each said workstation provided with a web browser to search the database 
using the standardized interfaces to identify risks, to select entries from the Pf and Cf 
tables to calculate and prioritize a risk factor Rf for each risk, and to search the 
database to identify existing risk mitigation plans for the prioritized risks. 

Beverina, in the same field of endeavor [risk management systems] teaches 
each said work station provided with a web browser to search the database using the 
standardized interfaces to identify risks (Fig. 3) and risk categories for each identified 
risk (i.e. as taught previously in Abrahams et al. as in claim 1 and/or Beverina himself 
when identifying risk), to select entries from the Pf and Cf tables [via the THREATS and 
VULNERABILITY hyperlinks in the drawing], to calculate and prioritize a risk factor Rf 
for each risk (where the calculation is accomplished by "calculating a probability that an 
event will occur; calculating a vulnerability to the event; and calculating a relative risk 
based on the probability and vulnerability", Claim 13, and prioritizing a risk factor is done 
by "clicking on a column heading will sort and group the table based on that column", 
Fig. 16). It would have been obvious to one skilled in the art at the time of invention to 
combine the system taught by Abrahams with the browser abilities of Beverina. 
Motivation to combine is easier access to the system. 
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However, Abrahams and Beverina both fail to disclose an intranet and a plurality 
of workstations in communication with the server via the communications network. 
Heinrich, in the same field of endeavor [risk management] teaches "a system containing 
a user computer, a network, and a security computer", (Col. 15, lines 46-47) and that 
the network "may also represent a corporate extranet or intranet" (Col. 15, lines 53-55). 
It would have been obvious to one skilled in the art at the time of invention to combine 
the combination of Abrahams and Beverina with the network of Heinrich. Motivation for 
the combination is to create a risk management system with easy system interaction 
and easy user communication. Regardless, much of Applicants structural claims only 
recite intended use of the apparatus; therefore, it is the Examiner's position that the 
structure is capable of Applicant's intended purpose. 

35. As per claim 20, Abrahams fails to explicitly disclose the method wherein the 
web browser has an interface that includes a menu bar with pull-down menu items and 
menu sub-items for viewing the current program, conducting the enterprise search and 
conducting the mitigation search and hyperlinks to the Pf and Cf tables. However, 
Beverina, in the same field of endeavor [risk management systems] teaches a web 
browser (Fig. 3), with pull-down menu items [viewable in the drawing] and menu sub- 
items for viewing the current program [viewable in the drawing], conducting the 
enterprise search [via the search box] and conducting the mitigation search [via the 
search box] and hyperlinks to the Pf and Cf tables [via the THREATS and 
VULNERABILITY hyperlinks in the drawing]. It would have been obvious to one skilled 
in the art at the time of invention to combine the risk management system taught by 
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Abrahams with the web based feature of Beverina. Motivation for the combination is a 
system with more features that should produce better risk management analysis and 
techniques as well as easier navigation of information. At least one mitigation activity is 
associated with the plan and is formulated, as described in claim 1 . Regardless, much 
of Applicants structural claims only recite intended use of the apparatus; therefore, it is 
the Examiner's position that the structure is capable of Applicant's intended purpose. 
36. As per claim 22, the Abrahams and Heinrich combination fails to explicitly 
disclose the system wherein the workstation via the web browser submits an enterprise 
search that includes a combination of at least two parameters including current or 
historic, risk factor, vendor, component, functional area, category, key word in risk title, 
key word in risk description, IPT, actionee, actionee/team lead/submitter or risk number 
and the server returns via the web browser an enterprise search results list including for 
at least one risk a combination of risk number, program, risk title, a current risk factor 
and its risk mitigation plan.. However, Beverina, in the same field of endeavor [risk 
management systems], teaches searches "by categories such as threat type, risk, score 
and others". Examiner construes risk to be the current risk factor, and threat type to be 
the category. Beverina further teaches that users can "search and browse the data 
from the individual VAT 200 sessions by categories such as threat type, risk, score and 
others." (H 363) Figure 50 shows a calendar within that VAT 200 for entry of start and 
completion dates. A user therefore, would be able to do a mitigation search including 
the parameters of start date and complete date. Finally, Beverina teaches a web 
browser enterprise search (Fig. 3 via the search option). It would have been obvious to 
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one skilled in the art at the time of invention to combine the system of Abrahams and 
Heinrich with the tools of Beverina. Motivation to combine is creation of a risk 
management system with easier access to information and ease of modification. 
Regardless, much of Applicants structural claims only recite intended use of the 
apparatus; therefore, it is the Examiner's position that the structure is capable of 
Applicant's intended purpose. 

37. As per claim 23, the Abrahams and Heinrich combination fails to explicitly 
disclose the system wherein the workstation via the web browser submits a mitigation 
search that includes a combination of at least two parameters including a risk 
description, risk status, start date, original planned complete date, planned complete 
date and complete date and the server returns existing mitigation plans that satisfy the 
search parameters. However, Beverina, in the same field of endeavor [risk 
management systems], teaches that users can "search and browse the data from the 
individual VAT 200 sessions by categories such as threat type, risk, score and others." 

363) Figure 50 shows a calendar within that VAT 200 for entry of start and 
completion dates. A user therefore, would be able to do a mitigation search including 
the parameters of start date and complete date. It would have been obvious to one 
skilled in the art at the time of invention to combine the risk management system taught 
by Abrahams and Heinrich with the risk management system features of Beverina. 
Motivation for the combination is a system with more features that should produce 
better risk management analysis and techniques. Regardless, much of Applicants 
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structural claims only recite intended use of the apparatus; therefore, it is the 
Examiner's position that the structure is capable of Applicant's intended purpose. 

38. As per claim 24, the Abrahams and Heinrich combination fails to explicitly 
disclose the system wherein the workstations automatically submit identified risks, risk 
factors and mitigation plans to the shared database, said server automatically 
generating risk reports including identified risks, prioritized risk factors and mitigation 
plans for the current project. However, Beverina, in the same field of endeavor [risk 
management systems], teaches that users can "create, edit and delete report formats to 
create new and customized reports to meet future needs" (U 374, lines 6-7). A user 
would be enabled to create risk reports including the identified risk, prioritized risk 
factors, and mitigation plans. It would have been obvious to one skilled in the art at the 
time of invention to combine the risk management system taught by Abrahams and 
Heinrich with the risk management reporting feature of Beverina. Motivation for the 
combination is a system with more features that should produce better risk 
management analysis and techniques as well as easier sharing of information. 
Regardless, much of Applicants structural claims only recite intended use of the 
apparatus; therefore, it is the Examiner's position that the structure is capable of 
Applicant's intended purpose. 

39. As per claim 34, Abrahams, Berverina and Heinrich teach the system of claim 
19, wherein existing risk mitigation plans for different risks are stored in the shared 
database, said web browser configured to formulate a mitigation search of the risk 
database to identify existing risk mitigation plans for the identified risk, formulate a new 
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risk mitigation plan that's builds upon the one or more existing risk mitigation plans, and 
store the new risk mitigation plan on the shared database. Claim 34 is rejected under a 
similar rationale as that of claim 29 supra. Regardless, much of Applicants structural 
claims only recite intended use of the apparatus; therefore, it is the Examiner's position 
that the structure is capable of Applicant's intended purpose. 

40. As per claim 35, Abrahams, Berverina and Heinrich teach the system of claim 
34, wherein the mitigation search identifies both successful and unsuccessful existing 
risk mitigation plans. Claim 35 is rejected under a similar rationale as that of claim 30. 
Similarly limitations directed to "said risk mitigation plan having an associated risk 
exposure based on the risk factors Rf, display chart of risk exposure over time and 
facilitate adjustments to the mitigation plan based on the risk exposure" are similarly 
rejected over a similar rationale as that of similar limitations in claim 1 . Regardless, 
much of Applicants structural claims only recite intended use of the apparatus; 
therefore, it is the Examiner's position that the structure is capable of Applicant's 
intended purpose. 

41 . As per claim 36, Abrahams, Berverina and Heinrich teach the system of claim 
34, wherein the web browser facilitates sharing resources with other programs to 
implement the mitigation plan. Claim 36 is rejected under a similar rationale as that of 
claim 32. Regardless, much of Applicants structural claims only recite intended use of 
the apparatus; therefore, it is the Examiner's position that the structure is capable of 
Applicant's intended purpose. 
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42. Claims 21 is rejected under 35 U.S.C. 103(a) as being unpatentable over 
Abrahams (2005/0086090), Beverina (2001/0027389), and Heinrich (6,895,383) in 
view of Examiner's Official Notice. 

43. As per claim 21 , the combination of Abrahams, Beverina and Heinrich teaches 
the claimed invention as mentioned in claim 19, above. Abrahams further teaches the 
system wherein the PF table has a plurality of risk categories, each said category 
having table entries that include standardized qualitative probability definitions (via 
Table 1, that shows an example of different risk probabilities, Table 1, p. 4) and the Cf 
table having a cost impact category with table entries for specifying multiple sub- 
categories of cost impacts in actual dollars for the development project, (via Table 2, 
that shows an example of different sub-categories, Table 2, p. 4) and tailoring the Pf 
table to have few categories that are relevant to the current project (fl 6, lines 7-8 teach 
that a user can select inherent values of likelihood and consequence for a risk [this data 
coming from Table 1 on p. 4]). 

However, the Abrahams, Beverina and Heinrich combination fails to teach a schedule 
impact category with table entries for specifying a schedule impact amount in days, 
weeks or months and a web browser providing administrative access. 

Examiner takes Official Notice that it is old and well known in the art of project 
management to measure negative impacts upon projects like delays in units of time 
such as days, weeks, or months. It would have been obvious to one skilled in the art at 
the time of invention to combine the table taught by Abrahams and Heinrich with 
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Examiner's Official Notice. Motivation to combine is to have an additional quantifiable 
way to measure consequences of a particular outcome. 

Beverina, further teaches a web browser (Fig. 3), and administrative access (via 
Fig. 1 where the Senior Commander is the administrative access). It would have been 
obvious to one skilled in the art at the time of invention to combine the system of 
Abrahams, Beverina, and Heinrich in view of Examiner's Official Notice with the 
additional features of Beverina. Motivation to combine is to create a risk management 
system with more detailed information and easier access. Regardless, much of 
Applicants structural claims only recite intended use of the apparatus; therefore, it is the 
Examiner's position that the structure is capable of Applicant's intended purpose. 



Conclusion 

44. The Examiner has pointed out particular references contained in the prior art of 
record, within the body of this action for the convenience of the Applicant. Although the 
specified citations are representative of the teachings in the art and are applied to the 
specific limitations within the individual claim, other passages and figures may apply. 
Applicant, in preparing the response, should consider fully the entire reference as 
potentially teaching all or part of the claimed invention, as well as the context of the 
passage as taught by the prior art or disclosed by the Examiner. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Michael M. Thompson whose telephone number is (571) 
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270-3605. The examiner can normally be reached on Monday thru Friday 8am-5:30 
except Friday. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, John Weiss can be reached on (571) 272-6812. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/Michael M Thompson/ 
Examiner, Art Unit 3629 
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Supervisory Patent Examiner, Art Unit 3629 



